Solved

SBS 2003 and Server 2008 shared folder privileges?

Posted on 2010-11-24
Last Modified: 2012-05-10
Hi All,

We currently have 3 different sites which are interlinked via a VPN.  The main site is running on SBS 2003, and the other 2 are running on Server 2008.  All users have access to 3 shared folders through the network, but these are all top level folders.  Meaning that all users can view everything on each shared folder.  Some folders, such as the admin folder, are set up for a few users and deny access to the rest.

My question is, what is the best practice to set these folders up to make sure that certain users only can view what they require?  Should I set up a separate shared folder for each area? I.e., accounts, sales, quotations etc.?  Create user groups and just add the higher privileged users there?  Is it bad the way these folders are currently set up?

Any help would be appreciated.
Question by:choy77
LVL 9

Expert Comment

by:dmessman
ID: 34206244
There are many ways to do this and it's based on your personal preference.  But the extent to which you create different shares should be based on how large you expect the restricted resource to be.

You definitely should create multiple security groups - accounting, admin, sales, etc.  Add members to groups as appropriate.  

For accounting, make a whole new share.  But then if there's one folder within accounting that's super private, you wouldn't make a whole new share.  Just restrict permissions to a group based on that.  For example, if there was a folder that contained salary information that regular accountants and only the CFO and CEO should see, don't make a whole new share - just create a new security group that only contains the CFO and CEO and protect that folder.  

I generally follow that theory - large folder hierarchies get their own share and drive letter.  Tiny folder hierarchies just get restricted by security group.  Medium folder hierarchies - your call.
 

Author Comment

by:choy77
ID: 34206718
Ok, that makes sense, thanks for the information.  So, say I create a new security group for users I only want to be able to access the accounts folder, how do I go about denying access to the folder for every other user?  Or even hiding the folder so people cannot view it?  Are you aware of a lot of companies that operate this way with having shared folder like this?  Or is this living dangerously?

Thanks.
 

Author Comment

by:choy77
ID: 34206757
On another note, is there a prefix in which new security groups should be given? Or a way in which they should be named?

Thanks
 

Author Comment

by:choy77
ID: 34206869
And how can I stop users from deleting folders which they have not created, and put certain users in a group who will be able to delete folders/files etc.?
 

Expert Comment

by:sivra
ID: 34207503
You can go to that top level folder properties, security.  Click the advanced button, edit button, select a user or group, click edit.  Now there is a drop down that probably says "This folder, subfolders, and files".  You can change the Everyone permission here to this folder only.  This allows users and groups to view the subfolders, but you can individually assign permissions to those folders now without an inherited permission from the root folder.  

Remember that the deny permission always overrides allow permissions.
 
LVL 9

Accepted Solution

by:
dmessman earned 500 total points
ID: 34229936
To stop users from accessing or deleting folders they don't have access to, don't give them access.  You shouldn't really need to set deny permissions.

Let's say you have an accounting folder with subfolders of A, B, and C.  You want all accountants to access A and B, but only a group of accountants called CFO to access C.  

Create a share called accounting.  

For the accounting share, give the accountants group full control to the accounting share and all subfolders (as described above by sivra).

Now, go to folder C.  Edit the security group permissions and remove accountants group.  Add the CFO group.  Apply to that folder and all subfolders.  Now, accountants won't be able to access that folder.  There is no deny permission - but no allow permission, so only members of the CFO group will be able to access it.

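The steps in the accepted answer, scripted with `net share` and `icacls` as an added example that is not part of the original thread. The path `D:\Shares\Accounting` and the groups `EXAMPLE\Accountants` and `EXAMPLE\CFO` are placeholders, and the script assumes an elevated PowerShell session on the Server 2008 file server.

```powershell
# Placeholder names (assumptions, not taken from the thread).
$root        = 'D:\Shares\Accounting'
$accountants = 'EXAMPLE\Accountants'
$cfo         = 'EXAMPLE\CFO'          # members are also accountants, as in the answer
$admins      = 'BUILTIN\Administrators'
$system      = 'NT AUTHORITY\SYSTEM'

# Folder layout from the answer: Accounting\A, \B and \C.
foreach ($name in 'A', 'B', 'C') {
    New-Item -ItemType Directory -Path (Join-Path $root $name) -Force | Out-Null
}
$folderC = Join-Path $root 'C'

# Share root: add explicit allow entries first, then drop whatever was
# inherited from the drive (often a read entry for all users).
# (OI)(CI) = applies to this folder, subfolders and files.
# F matches the answer's "full control"; M (Modify) is the narrower right
# that withholds changing permissions and taking ownership.
icacls $root /grant "${admins}:(OI)(CI)F" "${system}:(OI)(CI)F" "${accountants}:(OI)(CI)F"
icacls $root /inheritance:r

# Folder C: explicit entries for the CFO group only, then remove the
# inherited entries. The Accountants entry reaches C only by inheritance,
# so it disappears here without any deny entry being set.
icacls $folderC /grant "${admins}:(OI)(CI)F" "${system}:(OI)(CI)F" "${cfo}:(OI)(CI)F"
icacls $folderC /inheritance:r

# Publish the share. Share permissions stay broad for the group; the NTFS
# permissions set above decide who can open which subfolder.
net share "Accounting=$root" "/GRANT:${accountants},FULL"

# Check the result: A and B should list Accountants with an (I) inherited
# flag, C should list only Administrators, SYSTEM and CFO.
icacls (Join-Path $root 'A')
icacls $folderC
```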
 

Author Closing Comment

by:choy77
ID: 34360731
Thanks for your help